Embedded C Static Analysis Tools and ADAS Vehicle Data Validation

My mother loves to use expressions when she talks and one of her favorites is, “take it with a grain of salt.” Just in case you don’t know, that saying means you should question what that person is telling you. This idiom is very applicable when it comes to incoming sensor data in vehicles with advanced driver assistance systems (ADAS). Incomplete or incorrect data can lead to a car deducing false negatives or positives. It’s important that your system is able to detect when the information coming in is wrong, so that it can respond appropriately. Using multiple sensors to detect a vehicle’s environment can mitigate the effects of false negatives or positives. On the code side, a good static analysis tool can help you trace incoming data’s path through your code and help you develop software solutions.

Sources of False Information

When treating an illness you want to take care of the underlying disease, not just the symptoms. One of the elemental causes of false positives and negatives is bad data. That can come from a variety of places, but I’ll focus on environmental conditions and intentional interference.

Accurately sensing an environment is difficult. Building a picture of what’s around a vehicle that is traveling 70 mph on a highway becomes quite troublesome. Whether there’s fog clouding the vision of your passive visual sensors, or multipath returns are introducing error into your LIDAR array, your sensors won’t always work as expected. Random environmental issues may not be your only concern. One research group has been investigating ways to trick car sensors using stickers. Using carefully placed stickers disguised as graffiti, these researchers have gotten cars to misidentify signs a majority of the time. What to us is obviously a stop sign is instead read as a 45 mph posting. Obviously, false positives and negatives, purposeful or not, are dangers. However, they’re not the only interference you need to worry about.

Some hackers may try to inject information into your data streams in order to get into the system. Typically an attacker might try to breach the wireless network, or simply plug into an electrical port when inside the car. While you may have thought about how to counter those attacks, command injection through sensors also poses a risk. One of the more common methods is to alter a sensor’s data stream in order to cause a buffer overrun. A buffer overflow can cause a program to crash and fail, which could possibly take down a sensor. Even if that’s for a short period of time it may be dangerous. There’s also an additional risk that the attacker can use a buffer overrun to inject malicious code into the program’s memory. If you assume that every error or buffer overflow is being caused by environmental error, you may not catch this kind of attack. Now that you know it’s possible to use sensor data streams to breach your system we can talk about how to mitigate the consequences.

A few carefully placed stickers could trick sensors into misidentifying any sign.

Reducing Risk With Multiple Sensor Fusion

One way to verify some gossip that you’ve taken with a grain of salt is to have other people verify it. Multi-sensor fusion allows you to do this with sensor data streams. You can use contextual information from all sensors to verify data coming in from a single sensor.

Multiple sensor fusion combines the outputs of a variety of sensors in order to get an accurate picture of the environment. Even the Internet of Things (IoT) is starting to use this concept, and it should be widely implemented in cars to reduce the risk of accidents. So, let’s say that someone has placed some stickers on a stop sign to try and get your car to identify it as a speed limit sign. Your passive visual sensors may be tricked by that kind of thing because they look at the sign’s words, shape, and colors. A LIDAR array, though, would simply see a hexagon, implying a stop sign. Then you could match the results against each other. Passive visual sees a 45 mph sign, while LIDAR thinks it’s a stop sign. At that point, you could either trust whichever system you deem more reliable or give control back to the driver.

Multi-sensor fusion should help your car determine its context in order to determine if the information it’s getting is accurate. If your car is going 80 mph, and all other cars around it are going 80 mph maybe it can assume it’s on an interstate or highway, where there will be no stop signs. If it reads a stop sign on the side of the road, it can assume a false positive. Context is essential for safe driving, and multiple sensor fusion will help your vehicle correctly evaluate its environment.
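The two checks described in this section, cross-checking one sensor against another and then checking the surviving reading against driving context, can be written as a small decision function. The following is an added example, not code from the original article or from TASKING; the sign classes, the radar-derived traffic speed, the 55 mph highway threshold and the "preferred sensor" policy are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Sign classes each sensor's classifier can report (constructed for this example). */
typedef enum { SIGN_NONE = 0, SIGN_STOP, SIGN_SPEED_45 } sign_class_t;

/* One observation of the same sign from two independent sensors, plus driving context. */
typedef struct {
    sign_class_t camera;            /* passive visual classifier: reads words, shape, colors */
    sign_class_t lidar;             /* shape-only classifier fed by the LIDAR point cloud */
    double       ego_speed_mph;     /* this vehicle's speed */
    double       traffic_speed_mph; /* mean speed of surrounding vehicles, e.g. from radar */
} observation_t;

/* Which sensor to believe when the two disagree. */
typedef enum { PREFER_NONE, PREFER_CAMERA, PREFER_LIDAR } preference_t;

typedef enum {
    DECISION_ACCEPT,          /* sensors agree and the reading fits the context */
    DECISION_FALSE_POSITIVE,  /* reading contradicts the context; discard it */
    DECISION_TRUST_PREFERRED, /* sensors disagree; the configured sensor wins */
    DECISION_HANDOFF          /* sensors disagree and no sensor is preferred: driver decides */
} decision_t;

typedef struct { decision_t decision; sign_class_t sign; } fusion_result_t;

/* Assumed threshold: ego vehicle and surrounding traffic both at or above this
 * speed is taken as highway driving, where stop signs do not occur. */
#define HIGHWAY_SPEED_MPH 55.0

static bool highway_context(observation_t o) {
    return o.ego_speed_mph >= HIGHWAY_SPEED_MPH && o.traffic_speed_mph >= HIGHWAY_SPEED_MPH;
}

fusion_result_t fuse_sign(observation_t o, preference_t pref) {
    fusion_result_t r = { DECISION_ACCEPT, SIGN_NONE };

    /* Step 1: cross-check the sensors against each other. */
    if (o.camera == o.lidar) {
        r.sign = o.camera;
    } else if (pref == PREFER_CAMERA) {
        r.decision = DECISION_TRUST_PREFERRED;
        r.sign = o.camera;
    } else if (pref == PREFER_LIDAR) {
        r.decision = DECISION_TRUST_PREFERRED;
        r.sign = o.lidar;
    } else {
        r.decision = DECISION_HANDOFF; /* no basis to choose: give control back to the driver */
        return r;
    }

    /* Step 2: check the surviving reading against vehicle context. */
    if (r.sign == SIGN_STOP && highway_context(o)) {
        r.decision = DECISION_FALSE_POSITIVE;
        r.sign = SIGN_NONE;
    }
    return r;
}

static const char *decision_name(decision_t d) {
    static const char *names[] = { "accept", "false positive", "trust preferred", "hand off to driver" };
    return names[d];
}

int main(void) {
    /* Constructed scenarios. */
    observation_t tampered_sign = { SIGN_SPEED_45, SIGN_STOP, 25.0, 25.0 }; /* stickered stop sign */
    observation_t highway_stop  = { SIGN_STOP, SIGN_STOP, 80.0, 78.0 };     /* agreed stop sign at 80 mph */
    observation_t town_stop     = { SIGN_STOP, SIGN_STOP, 20.0, 18.0 };

    printf("tampered, no preference: %s\n", decision_name(fuse_sign(tampered_sign, PREFER_NONE).decision));
    printf("tampered, prefer LIDAR:  %s\n", decision_name(fuse_sign(tampered_sign, PREFER_LIDAR).decision));
    printf("highway stop sign:       %s\n", decision_name(fuse_sign(highway_stop, PREFER_NONE).decision));
    printf("town stop sign:          %s\n", decision_name(fuse_sign(town_stop, PREFER_NONE).decision));
    return 0;
}
```

The ordering matters: the context check runs even when a preferred sensor has already won the disagreement, so a stop sign that both sensors report on an 80 mph road is still discarded rather than braking the car.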

Sensor data streams are at risk for code injection attacks.

Tracing Data Through Your Software

Sometimes you can run into problems with false negatives/positives simply because it’s difficult to actually track data as it moves through your program. A good static analysis tool will let you follow your code step by step and will help you find areas where you need to design checks or failsafes.

As discussed earlier, outside data can taint your system, causing buffer overflow and allowing hackers to inject their own code into your program. Tracing how your program handles incoming information can help you protect your code against attacks. Maybe you forgot to ensure that incoming data is the correct length before assigning it to a variable. A good static analysis program can highlight that issue for you, and remind you to check length to prevent possible buffer overrun. You may have a tainted variable coming in, and not remember that it has 15 other variables depending on it. Those variables and their pieces of code are then at risk. If you don’t know which variables are dependent on others, though, you won’t be able to protect your program from corrupted data.
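The length check this paragraph describes, and the altered-length buffer overrun described in the earlier section, come together in how a sensor frame is parsed. The following is an added example, not code from the original article or from TASKING; the frame layout (id byte, declared length byte, payload, XOR trailer), the 32-byte payload buffer and the sample frames are all constructed for the illustration. The point is that every field the copy depends on is validated before the copy happens, and that each rejection reason is counted separately so a monitor can tell a burst of oversized frames from weather-induced checksum errors.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (an assumption of this example, not a real sensor protocol):
 *   byte 0        sensor id
 *   byte 1        declared payload length N, must be <= MAX_PAYLOAD
 *   bytes 2..N+1  payload
 *   last byte     XOR of every preceding byte
 */
#define MAX_PAYLOAD 32u
#define HEADER_LEN  2u
#define TRAILER_LEN 1u

typedef struct {
    uint8_t sensor_id;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD]; /* fixed size: every copy into it must be bounded */
} sensor_frame_t;

typedef enum {
    FRAME_OK = 0,
    FRAME_TOO_SHORT,    /* fewer bytes than header + trailer */
    FRAME_LEN_TOO_BIG,  /* declared length exceeds the destination buffer (would overflow) */
    FRAME_LEN_MISMATCH, /* declared length disagrees with bytes received (would over-read) */
    FRAME_BAD_CHECKSUM  /* corrupted or tampered frame */
} frame_status_t;

/* Per-reason counters: the shape of the rejections is itself a signal worth logging. */
typedef struct { unsigned ok, too_short, len_too_big, len_mismatch, bad_checksum; } frame_stats_t;

static uint8_t xor_checksum(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Validate every field the copy depends on before touching the destination. */
frame_status_t parse_frame(const uint8_t *raw, size_t raw_len,
                           sensor_frame_t *out, frame_stats_t *st) {
    if (raw_len < HEADER_LEN + TRAILER_LEN) { st->too_short++; return FRAME_TOO_SHORT; }
    uint8_t declared = raw[1];
    /* This is the bound an unchecked memcpy(out->payload, raw + 2, declared) would lack;
     * a taint-tracking static analyser flags 'declared' because it came off the wire. */
    if (declared > MAX_PAYLOAD) { st->len_too_big++; return FRAME_LEN_TOO_BIG; }
    if (raw_len != HEADER_LEN + declared + TRAILER_LEN) { st->len_mismatch++; return FRAME_LEN_MISMATCH; }
    if (xor_checksum(raw, raw_len - 1) != raw[raw_len - 1]) { st->bad_checksum++; return FRAME_BAD_CHECKSUM; }
    out->sensor_id = raw[0];
    out->len = declared;
    memcpy(out->payload, raw + HEADER_LEN, declared); /* declared <= MAX_PAYLOAD proven above */
    st->ok++;
    return FRAME_OK;
}

/* Constructed sample frames: two valid, the rest each malformed in a different way. */
static const uint8_t GOOD_FRAME[]      = {0x01, 0x03, 0x10, 0x20, 0x30, 0x02};
static const uint8_t EMPTY_FRAME[]     = {0x02, 0x00, 0x02};
static const uint8_t OVERSIZED_FRAME[] = {0x01, 0xFF, 0x10, 0x20, 0x30, 0x00}; /* claims 255-byte payload */
static const uint8_t MISMATCH_FRAME[]  = {0x01, 0x05, 0x10, 0x20, 0x30, 0x00}; /* claims 5 bytes, carries 3 */
static const uint8_t CORRUPT_FRAME[]   = {0x01, 0x03, 0x10, 0x20, 0x30, 0xFF}; /* wrong checksum */
static const uint8_t SHORT_FRAME[]     = {0x01, 0x00};

static sensor_frame_t g_last;  /* last successfully parsed frame */
static frame_stats_t  g_stats; /* running counters for the monitor */

frame_status_t check_sample(const uint8_t *raw, size_t raw_len) {
    return parse_frame(raw, raw_len, &g_last, &g_stats);
}

unsigned rejected_frames(void) {
    return g_stats.too_short + g_stats.len_too_big + g_stats.len_mismatch + g_stats.bad_checksum;
}

uint8_t last_payload_len(void) { return g_last.len; }

int main(void) {
    struct { const char *name; const uint8_t *raw; size_t n; } samples[] = {
        {"good", GOOD_FRAME, sizeof GOOD_FRAME},           {"empty", EMPTY_FRAME, sizeof EMPTY_FRAME},
        {"oversized", OVERSIZED_FRAME, sizeof OVERSIZED_FRAME}, {"mismatch", MISMATCH_FRAME, sizeof MISMATCH_FRAME},
        {"corrupt", CORRUPT_FRAME, sizeof CORRUPT_FRAME},  {"short", SHORT_FRAME, sizeof SHORT_FRAME},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s -> status %d\n", samples[i].name, (int)check_sample(samples[i].raw, samples[i].n));
    printf("rejected frames: %u\n", rejected_frames());
    return 0;
}
```

Note that the mismatch check guards the opposite direction from the overflow check: a declared length that is within the buffer but larger than the bytes actually received would otherwise read past the end of the receive buffer, and a checksum computed over the wrong span would silently pass garbage through.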

Security is very important in ADAS cars. There are many things that can cause your systems to fail, from purposeful or accidental environmental errors to malicious code injection through sensor data streams. These are not, however, insurmountable problems. Implementing multi-sensor fusion in your system can help your vehicle determine context. Once it has a good picture of its environment, it will be able to tell when a sign, or any other external rule, is out of place. Checking your software with static analysis can also help. Using a static analyzer will allow you to track data as it moves through your system, and help you determine which parts of your code need better protection.

While there are lots of static analysis tools out there, not so many are made specifically for ADAS-enabled vehicle development. TASKING makes software that is specifically for the ADAS vehicle market. Their static analyzer can not only help you trace data but is also made to assist in programming memory protection units (MPUs). This kind of software is made to enable you to create the safest software possible.